| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <7973F81B-FDA4-46EE-B4AF-2206BCB24861@linux.ibm.com>
Date: Tue, 3 Feb 2026 15:12:28 +0530
From: Venkat <venkat88@...ux.ibm.com>
To: David Howells <dhowells@...hat.com>
Cc: Michael Kelley <mhklinux@...look.com>,
Sami Tolvanen <samitolvanen@...gle.com>,
Lukas Wunner <lukas@...ner.de>, Ignat Korchagin <ignat@...udflare.com>,
Jarkko Sakkinen <jarkko@...nel.org>,
Herbert Xu <herbert@...dor.apana.org.au>,
Eric Biggers <ebiggers@...nel.org>,
Luis Chamberlain <mcgrof@...nel.org>, Petr Pavlu <petr.pavlu@...e.com>,
Daniel Gomez <da.gomez@...nel.org>,
"Jason A . Donenfeld" <Jason@...c4.com>,
Ard Biesheuvel <ardb@...nel.org>,
Stephan Mueller <smueller@...onox.de>,
"linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
"keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
"linux-modules@...r.kernel.org" <linux-modules@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v15 6/7] modsign: Enable ML-DSA module signing
> On 2 Feb 2026, at 5:18 PM, David Howells <dhowells@...hat.com> wrote:
>
> Michael Kelley <mhklinux@...look.com> wrote:
>
>> Pardon my ignorance of the signing details, but I don't see an indication
>> of having selected PKCS#7 with SHA1 in my .config. What am I looking for?
>
> Actually, if you have openssl >= 1.0.0 then it sign-file will be built to use
> CMS rather than PKCS#7, and will use the configured hash algo, so you can
> ignore this.
>
>> The symbols CMS_NO_SIGNING_TIME,
>
> I can probably just not add that.
>
>> EVP_PKEY_is_a()
>
> I guess I can probably make this contingent on >= 3.0.0.
>
>> and OPENSSL_VERSION_MAJOR don't exist in the include/openssl/* files for
>> that old version.
>
> I should probably use OPENSSL_VERSION_NUMBER instead - though we already use
> it for selecting #includes (I guess #if doesn't complain).
>
> Do the attached changes work for you?
>
> David
> ---
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index 547b97097230..78276b15ab23 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -27,7 +27,7 @@
> #include <openssl/evp.h>
> #include <openssl/pem.h>
> #include <openssl/err.h>
> -#if OPENSSL_VERSION_MAJOR >= 3
> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> # define USE_PKCS11_PROVIDER
> # include <openssl/provider.h>
> # include <openssl/store.h>
> @@ -323,18 +323,21 @@ int main(int argc, char **argv)
> CMS_DETACHED |
> CMS_STREAM |
> CMS_NOSMIMECAP |
> +#ifdef CMS_NO_SIGNING_TIME
> CMS_NO_SIGNING_TIME |
> +#endif
> use_keyid;
>
> - if ((EVP_PKEY_is_a(private_key, "ML-DSA-44") ||
> - EVP_PKEY_is_a(private_key, "ML-DSA-65") ||
> - EVP_PKEY_is_a(private_key, "ML-DSA-87")) &&
> - OPENSSL_VERSION_MAJOR < 4) {
> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L
> + if (EVP_PKEY_is_a(private_key, "ML-DSA-44") ||
> + EVP_PKEY_is_a(private_key, "ML-DSA-65") ||
> + EVP_PKEY_is_a(private_key, "ML-DSA-87")) {
> /* ML-DSA + CMS_NOATTR is not supported in openssl-3.5
> * and before.
> */
> use_signed_attrs = 0;
> }
> +#endif
>
> flags |= use_signed_attrs;
>
Tested this, and build is successful. Please add below tag.
Tested-by: Venkat Rao Bagalkote <venkat88@...ux.ibm.com>
Regards,
Venkat.
Powered by blists - more mailing lists